Elegant Themes’ Divi Builder is the most popular WordPress page builder. It enables users to build beautiful pages without knowing how to code. Over 600,000 websites are using Divi Builder. Many of these websites are also powered by the Divi or the Extra Theme.

Critical vulnerabilities were found in the Divi Builder Plugin, Divi Theme, and Extra Theme. This vulnerability can be exploited and could potentially damage your website. You must take immediate steps to fix the vulnerability. In this article, we’ll tell you what you need to protect your website.

What is the Divi Vulnerability & its Impact?

During a routine security audit, a type of vulnerability called the code injection vulnerability was discovered by the Elegant Themes team. It allows users roles like contributors, authors, and editors to execute certain PHP functions.

The vulnerability can be exploited by untrustworthy users. If you are affected by the vulnerability, you need to take immediate action.

Are You Affected by the Divi Vulnerability?

Websites running the following versions are affected by the vulnerability –

Divi Builder version 2.23 and above

Divi version 3.23 and above

Extra 2.23 and above

But how do you know what version you are running?

To learn what version of the Divi Builder plugin you are using, log into your WordPress dashboard, go to Plugins > Installed Plugins > Divi Builder. You will find a small description of the plugin along with the plugin version.

As for the themes, go to Appearance > Themes > Divi & Extra and then click on Details. You’ll find the version of the theme.

Go to Appearances > Themes > Divi

How to Fix Websites Affected by the Divi Vulnerability?

Updating the plugin and the themes will fix the issue.

Following the discovery of the vulnerability, the Elegant Themes team released a patch in the form of an update.

To update the plugin and themes, you need to log into your WordPress dashboard and select Updates from the menu.

Click on Updates

In the Updates page, you can see all the themes and plugins that you need to update.

Select Divi Builder plugin and click on Update Plugin

Select Divi and Extra theme and click and Update Theme

The plugin and themes will be updated to version 4.0.10 which contains the security patch.

What About Expired Divi Accounts?

If your Elegant Themes subscription has expired, don’t worry, you can still update the software. You don’t need to renew your subscription to receive the update. You can update the software from your WordPress dashboard.

Has Your Website Been Hacked?

Hackers are always on the lookout for vulnerabilities that they can exploit to carry out their misdeeds. If you have the slightest suspicion that your website is hacked (recommended read – signs of a hacked site), it’s best to scan your website. If it turns out that your site is hacked, then you can clean it instantly. Here’s how you can scan and clean your website.

Step 1: Install and activate the WordPress Security Plugin called MalCare. Then add your website to the MalCare dashboard and it will start auto-scanning your website immediately. If it finds malware, you will be notified.

Conclusion

Even if you trust all your users and feel your website is not in harm’s way right now, you should patch the vulnerability.

If a hacker gains access to one of these user accounts, they can exploit the vulnerability to execute malicious commands. The repercussions that follow are severe and expensive to fix. Hence update your Divi Builder plugin, Divi & Extra theme immediately.

We hope you understand how important it is to keep your website updated at all times. The themes and plugins that you use will develop vulnerabilities over time. When developers discover the vulnerability, they release an update with a security patch.

Apart from such vulnerabilities, there are many more threats that your WordPress website can face like brute force attacks on your login page among others. To protect your website from all kinds of threats you need to use a security plugin like MalCare. It scans your website daily, cleans it instantly if it’s hacked and protects it from hackers and bots.